Posts Tagged ‘SSL’

The availability of Let’s Encrypt across most modern browsers’ trusted stores is pretty awesome. Combine that with an easy to use interface for generating/renewing certificates and you’ve got a winning platform.

Today we’ll look into generating a certificate with Let’s Encrypt to secure a Splunk Enterprise installation. This howto assumes a couple things:

Splunk is installed under /opt/splunk

Let’s Encrypt binaries are under /opt/letsencrypt

Let’s get started! First, make a backup of the current certs under /opt/splunk/etc/auth/splunkweb (privkey.pem and cert.pem). To generate the new certificate, we’ll use the standalone (temporary webserver) feature from Let’s Encrypt, which listens on port 80 for incoming connections to validate the domain/host, so make sure that port is open. Run ‘letsencrypt-auto certonly’ from the Let’s Encrypt folder, then select the temporary webserver option. Your new certs should be generated under the /etc/letsencrypt/live folder.

Next up we’ll simply link the generated certs into the Splunk folder. Assuming the default folders, do this:

cd /opt/splunk/etc/auth/splunkweb

ln -s /etc/letsencrypt/live/YOUR_HOST/privkey.pem ./privkey.pem

ln -s /etc/letsencrypt/live/YOUR_HOST/fullchain.pem ./cert.pem

After that, log into the Splunk interface on port 8000 (default) and go to the Administration section, then enable SSL for the Splunk Web component. After a server restart, it should start serving SSL content over port 8000.
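
The backup and link steps above as one shell function, an added example that is not part of the original post. It assumes it is run as the account Splunk runs as, so that the readability check matches what Splunk Web will see; the function name and the backup-<timestamp> folder are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Run it as the account Splunk runs
# as, so the readability check matches what Splunk Web will see.
# link_splunkweb_certs and the backup-<timestamp> folder are illustrative names.

link_splunkweb_certs() {
    live_dir=$1   # e.g. /etc/letsencrypt/live/YOUR_HOST
    web_dir=$2    # e.g. /opt/splunk/etc/auth/splunkweb

    # Stop before touching anything if a new file is missing or unreadable;
    # a dangling or unreadable link would leave Splunk Web without a cert.
    for f in privkey.pem fullchain.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "cannot read $live_dir/$f" >&2
            return 1
        fi
    done

    # Move the current files aside; ln -s refuses to overwrite existing names.
    backup="$web_dir/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" && chmod 700 "$backup" || return 1
    for f in privkey.pem cert.pem; do
        if [ -e "$web_dir/$f" ] || [ -L "$web_dir/$f" ]; then
            mv "$web_dir/$f" "$backup/$f" || return 1
        fi
    done

    # Same two links as in the post: the key, and the full chain as cert.pem.
    ln -s "$live_dir/privkey.pem" "$web_dir/privkey.pem" || return 1
    ln -s "$live_dir/fullchain.pem" "$web_dir/cert.pem" || return 1

    echo "$backup"   # print where the old files went
}

# Usage:
#   link_splunkweb_certs /etc/letsencrypt/live/YOUR_HOST /opt/splunk/etc/auth/splunkweb
```

If the function stops with “cannot read”, the Splunk account has no read access to the files under /etc/letsencrypt/live, and nothing in the splunkweb folder has been changed.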

Since our webserver resides on IIS here at our company (SBS 2003), I had to secure one of the websites and make sure that whoever tried to access it via HTTP was automatically and transparently transferred over to HTTPS. There’s no “1-click” way to do it in IIS; it must be done in one of 2 ways:

1) Edit the HTML files to do a redirect

2) Use a redirection website

Since there was a bunch of PHP/HTML/other files in that particular website, it seemed much simpler to just go with the second option. Here’s a rundown of the steps to do it:

Open IIS Manager and select properties for the website for which you want to require SSL. For HTTP port, use anything other than 80, like 8989. For SSL port, use the default 443.

Now go to the “Directory Security” tab, click Secure Communications, click Edit, check the “Require secure channel (SSL)” box and check the “Require 128-bit encryption” box too. Restart IIS. If you try to browse http://yourserver.com:8989 (the HTTP port set in the previous step) you should receive a “The page must be viewed over a secure channel” message. If not, something is not working properly.

Now, create a new website in IIS, then name it something like “SSL redir for yourserver.com”. Choose port 80 as the HTTP port. For path, point it to anywhere in your server, like C:\inetpub\wwwroot (this doesn’t matter, we’re gonna change it). Give it read permissions. Now go to the properties of the newly created website, and select the “Home Directory” tab. Change “The content for this resource should come from:” to “A redirection to a URL”. In the “Redirect to:” textbox, enter https://yourserver.com. You can also optionally select “A permanent redirection for this resource”, which will cause bookmarks to update to the new URL. DO NOT select “The exact URL entered above” or “A directory below URL entered”. Restart IIS. Now try to browse to http://yourserver.com and it should redirect to https://yourserver.com automatically.

Little note: the redirect URL is sent back to the client, so if you type https://localhost as the redirect, the client browser will try to redirect to localhost on the client machine, where the site won’t exist. The same applies to NetBIOS names.